author | Rob Crittenden <rcritten@redhat.com> | 2014-12-02 13:18:36 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-29 11:16:38 -0500 |
commit | 045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 (patch) | |
tree | ba63a832f67c4c9a8ceee62669b52dd37a853680 /install/tools | |
parent | b382a77fc393a078ebbba8000284dd9abe75a3d5 (diff) | |
Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a renewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're safe
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
Diffstat (limited to 'install/tools')
-rw-r--r-- | install/tools/ipa-upgradeconfig | 54 |
1 files changed, 53 insertions, 1 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index f672bbd8c..8ec6248b3 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -493,6 +493,53 @@ def enable_certificate_renewal(ca):
     return False
 
+def certificate_renewal_stop_ca(ca):
+    """
+    Validate the certmonger configuration on certificates that already
+    have renewal configured.
+
+    As of certmonger 0.65 it now does locking from the point where it
+    generates the CSR to the end of the post-command. This is to ensure
+    that only one certmonger renewal, and hopefully, one process at a
+    time holds the NSS database open in read/write.
+    """
+    root_logger.info('[Certificate renewal should stop the CA]')
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    nss_dir = dogtag.configured_constants().ALIAS_DIR
+    # Using the nickname find the certmonger request_id
+    criteria = (('cert_storage_location', nss_dir, certmonger.NPATH),('cert_nickname', 'auditSigningCert cert-pki-ca', None))
+    id = certmonger.get_request_id(criteria)
+    if id is None:
+        root_logger.error('Unable to find certmonger request ID for auditSigning Cert')
+        return False
+
+    if sysupgrade.get_upgrade_state('dogtag', 'stop_ca_during_renewal'):
+        return False
+
+    # State not set, lets see if we are already configured
+    pre_command = certmonger.get_request_value(id, 'pre_certsave_command')
+    if pre_command is not None:
+        if pre_command.strip().endswith('stop_pkicad'):
+            root_logger.info('Already configured to stop CA')
+            return False
+
+    # Ok, now we need to stop tracking, then we can start tracking them
+    # again with new configuration:
+    cainstance.stop_tracking_certificates(dogtag.configured_constants())
+    if ca.is_master():
+        ca.configure_renewal()
+    else:
+        ca.configure_certmonger_renewal()
+        ca.configure_clone_renewal()
+    ca.configure_agent_renewal()
+    ca.track_servercert()
+    sysupgrade.set_upgrade_state('dogtag', 'stop_ca_during_renewal', True)
+    root_logger.debug('CA subsystem certificate renewal configured to stop the CA')
+    return True
+
 def copy_crl_file(old_path, new_path=None):
     """
     Copy CRL to new location, update permissions
     and SELinux context
@@ -711,7 +758,12 @@ def main():
             bind.restart()
         except ipautil.CalledProcessError, e:
             root_logger.error("Failed to restart %s: %s", bind.service_name, e)
 
-    ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
+    ca_restart = any([
+        ca_restart,
+        enable_certificate_renewal(ca),
+        upgrade_ipa_profile(ca, api.env.domain, fqdn),
+        certificate_renewal_stop_ca(ca),
+    ])
     if ca_restart:
         root_logger.info('pki-ca configuration changed, restart pki-ca')
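Review bot: In certificate_renewal_stop_ca the already-configured test `pre_command.strip().endswith('stop_pkicad')` accepts any pre_certsave_command whose last path component ends with that string, so a stale or wrongly-located helper would be reported as "Already configured to stop CA" and the request left with its old configuration; comparing against the exact command path that ca.configure_renewal() installs would be stricter (that path is not visible in this hunk). The local `id` shadows the builtin — `request_id` reads better and matches the comment above it. The docstring does not say what the return value means; I would add `Returns True when certmonger tracking was reconfigured and the CA needs a restart, False otherwise.` If any of the configure_*/track_servercert() calls raise after stop_tracking_certificates(), the upgrade state is not set so the next run will retry, but until then the CA certificates are untracked — logging that case explicitly would help an operator notice it.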